The Juniper EX switch must be configured to set all enabled user-facing or untrusted ports as access interfaces.

Severity: medium
Group ID: V-253970
Group Title: SRG-NET-000512-L2S-000011
Version: JUEX-L2-000230
Rule ID: SV-253970r1082976_rule
Date: 2025-03-07
STIG Version: 2
Description
By default, unconfigured (or expressly disabled) Junos interfaces are unusable. Any enabled interface configured with the family ethernet-switching uses interface-mode access by default, which meets this requirement. Trunked interfaces must be explicitly configured for operational requirements (e.g., interswitch links), which makes them trusted and not user-facing. Configuring enabled user-facing or untrusted interfaces as trunks may expose network traffic to an unauthorized, or unintended, connected endpoint. Access interfaces belong to a single VLAN rather than the multiple VLANs carried by a trunk, which limits potential exposure to a smaller subset of the total network traffic. Access interfaces also behave differently than trunked interfaces, especially with respect to control plane traffic. For example, access interfaces can be marked as "edge" for protocols like Rapid Spanning Tree (RSTP) or Multiple Spanning Tree (MSTP), where specific protections can be applied to prevent the switch from accepting Bridge Protocol Data Units (BPDUs) from unauthorized sources and causing a network topology change or disruption. Additionally, network-level protection mechanisms such as 802.1X or sticky MAC are applied to access interfaces, and these mechanisms help prevent unauthorized network access.
Check
Review the switch configuration and examine all enabled user-facing or untrusted interfaces configured with family ethernet-switching.

1. Interfaces implicitly configured with "interface-mode" access and family ethernet-switching.

Note: The default interface-mode is "access".

    user@host> show configuration interfaces <interface name>
    {
        unit 0 {
            family ethernet-switching {
            }
        }
    }

2. Interfaces explicitly configured with "interface-mode" access and family ethernet-switching.

    user@host> show configuration interfaces <interface name>
    {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
            }
        }
    }

If any of the enabled user-facing access interfaces are configured as a trunk, this is a finding.
Fix
Disable trunking on all enabled user-facing or untrusted access interfaces.

Delete "interface-mode" from an enabled user-facing or untrusted interface to inherit the default access mode.

    user@host> configure
    user@host# delete interfaces <interface name> unit 0 family ethernet-switching interface-mode

Alternatively, explicitly set the enabled user-facing or untrusted interface mode to access.

    user@host> configure
    user@host# set interfaces <interface name> unit 0 family ethernet-switching interface-mode access
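The Check and Fix above are written for one interface at a time at the CLI. The following is an added example (not part of the STIG, and not Juniper's code) of how an auditor can run the same check offline against the set-format output of "show configuration interfaces | display set", listing every enabled ethernet-switching interface that is in trunk mode and is not on an operator-supplied list of trusted interswitch links, then emitting the matching delete or set commands from the Fix section. The interface names, descriptions and the trusted-uplink list are constructed sample data; which interfaces count as trusted is a decision the assessor must make from the site's documentation, not something the script can infer.

```python
"""Offline audit helper for JUEX-L2-000230 (example code, not from the STIG).

Parses set-format Junos configuration ("show configuration interfaces |
display set") and reports enabled ethernet-switching interfaces whose
interface-mode is trunk but which are not on the trusted (interswitch) list.
"""
import re
from dataclasses import dataclass

# One "set interfaces <name> <rest of statement>" line.
SET_LINE = re.compile(r"^set interfaces (\S+) (.*)$")


@dataclass
class Port:
    name: str
    disabled: bool = False       # "set interfaces X disable" or "... unit 0 disable"
    switching: bool = False      # has "family ethernet-switching"
    mode: str = "access"         # Junos default when interface-mode is omitted
    explicit_mode: bool = False  # True when interface-mode was stated


def parse_interfaces(config_text):
    """Collect per-interface facts from set-format configuration lines."""
    ports = {}
    for line in config_text.splitlines():
        m = SET_LINE.match(line.strip())
        if not m:
            continue
        name, rest = m.groups()
        port = ports.setdefault(name, Port(name))
        tokens = rest.split()
        if tokens[-1] == "disable":
            port.disabled = True
        if "family ethernet-switching" in rest:
            port.switching = True
        if "interface-mode" in tokens:
            port.mode = tokens[tokens.index("interface-mode") + 1]
            port.explicit_mode = True
    return ports


def audit(config_text, trusted=frozenset()):
    """Names of enabled, untrusted ethernet-switching ports set to trunk (findings)."""
    ports = parse_interfaces(config_text)
    return sorted(
        p.name for p in ports.values()
        if p.switching and not p.disabled and p.mode == "trunk" and p.name not in trusted
    )


def remediation(config_text, trusted=frozenset(), explicit=False):
    """Junos commands from the Fix section, one per finding.

    explicit=False deletes interface-mode so the port inherits access mode;
    explicit=True sets interface-mode access instead.
    """
    cmds = []
    for name in audit(config_text, trusted):
        base = f"interfaces {name} unit 0 family ethernet-switching interface-mode"
        cmds.append(f"set {base} access" if explicit else f"delete {base}")
    return cmds


# Constructed sample output; the names and descriptions are not from a real switch.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 description "uplink to core (trusted)"
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members all
set interfaces ge-0/0/1 description "user port, mode implicit"
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces ge-0/0/2 description "user port, explicit access"
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/3 description "user port wrongly trunked"
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/4 disable
set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/5 unit 0 family inet address 10.0.0.1/24
"""

# Assumed: the assessor has confirmed ge-0/0/0 is a documented interswitch link.
TRUSTED_UPLINKS = frozenset({"ge-0/0/0"})

if __name__ == "__main__":
    for name in audit(SAMPLE_CONFIG, TRUSTED_UPLINKS):
        print(f"FINDING: {name} is an enabled, untrusted trunk interface")
    for cmd in remediation(SAMPLE_CONFIG, TRUSTED_UPLINKS):
        print(cmd)
```

Disabled interfaces and interfaces without family ethernet-switching are skipped, matching the Check's scope of enabled switching interfaces; an interface with no interface-mode statement is reported as access, matching the Note in the Check. Running the script on the sample flags only ge-0/0/3: ge-0/0/0 is trunked but trusted, ge-0/0/4 is trunked but disabled.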